U.S. Government Publishes New Insider Threat Program Maturity Framework

Some two years after WikiLeaks began to publish the Iraq War Logs exfiltrated by Chelsea Manning (at that time, Bradley Manning), President Obama issued a Presidential Memorandum to the heads of executive departments and agencies: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.

"The resulting insider threat capabilities," it said, "will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security."

It clearly didn't work. Barely seven months later, in June 2013, the Edward Snowden leaks began to appear -- and leaks have continued ever since. In 2016, the hacking group known as the Shadow Brokers began to leak NSA tools; in April 2017 it published the EternalBlue exploit that WannaCry and NotPetya used within weeks. There have been suggestions, never confirmed, that the material was initially taken from the NSA by contractor Hal Martin and found its way to the Shadow Brokers from there.

In March 2017, the Vault 7 CIA files began to appear on WikiLeaks. In June 2018, Joshua Adam Schulte -- a former employee of first the NSA and then the CIA -- was charged with the theft of the classified CIA documents published by WikiLeaks.

On November 1, 2018, the National Insider Threat Task Force (NITTF), operating under the joint leadership of the Attorney General and the Director of National Intelligence, published a new Insider Threat Program Maturity Framework (PDF). Its purpose, a statement from the Office of the Director of National Intelligence announced, is "to help executive branch departments and agencies' insider threat programs advance beyond the Minimum Standards to become more proactive, comprehensive, and better postured to deter, detect, and mitigate insider threat risk."

The new Framework takes key elements from the Obama 'minimum standards' memorandum and enhances and expands them so that departments and agencies (D/As) using them can "garner greater benefits from insider threat program resources, procedures, and processes." It comprises 19 elements, each identifying an attribute of an advanced Insider Threat Program (InTP). Each element, according to the introduction to the Framework, "provides amplifying information to assist programs in strengthening the effectiveness of the associated minimum standard."

This Framework is written specifically for government departments and agencies, and its primary purpose is to defend national security rather than commercial intellectual property. D/As differ greatly from private industry in make-up, mission and culture, but private industry has its own, potentially larger, insider threat to manage. There will be a temptation for private industry to adopt the same framework wholesale.

For example, David Wilcox, VP of federal for Dtex Systems, has commented, "The Dtex annual insider threat intelligence report revealed that insider threats are active in all industries, including government. This Framework comes at a pivotal time, when insider threats are on the rise and the damages they cause are increasing. This framework points out key elements for addressing insider threats, which could be used by any industry to reduce related risks."

Some of the Framework's elements could certainly be transposed to and used by private industry. Others will need to be approached with caution. For example, the very first element describes "the joint responsibility and commitment of D/A and InTP leadership to develop InTP infrastructure and personnel and promote the importance of addressing the insider threat at a level sufficient to create an effective and enduring Program."

The third element says, "It is crucial for InTPs in countering the insider threat to maintain compliance with changes in the policy, legal, regulatory, workforce, and technology environments of their D/A. The InTP can remain current through participation in D/A forums involved in policy-making, regulatory developments, and technology infrastructure advances to assess the impact of any changes on Program compliance and effectiveness."

This is already beginning to look like a new department with high-level, highly specialist leadership, and it will undoubtedly be expensive. With companies already questioning the need for a Data Protection Officer, which GDPR requires of some organizations, further expense that is not required by law will undoubtedly be questioned. Any organization seeking to use the Framework as a guide for its own insider threat program will first need to distil the guidelines into something affordable.

There are more banana skins for private industry in the Framework. Element 7 describes an insider threat awareness training requirement, which is good practice. But where do you go from there? "InTPs can drive cultural change within their D/As and build a culture of insider threat awareness and responsibility for reporting potential insider threats through communications campaigns."

The danger is that this amounts to at least subtle encouragement for staff to report one another as potential insider threats. That could easily go horribly wrong and corrode the workplace culture it is meant to protect.

This is not to say that the Framework is devoid of good practices that could transpose to private industry. Elements 14 and 15 offer advice on insider threat detection. Element 14 recommends advanced analytics and anomaly detection. Such tools, it suggests, "can help manage large data volume as a first step in establishing a baseline from which to identify anomalous behavior. Data analytic tools can help insider threat analysts to contextualize the behavior in supporting decisions to conduct inquiries, refer matters to response elements, and/or develop mitigation strategies."
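Element 14 describes the analytics only in the abstract: build a baseline, then look for departures from it. The script below is an added illustration of that approach over a constructed access log; it is not code from the NITTF Framework or from any agency tool. The log format (timestamp, user, action, files touched), the five-event training window and the z-score threshold of 3 are assumptions made for the example. Two details matter in practice and are built in: the baseline is computed only from each user's early history, so the very activity being judged cannot inflate its own baseline, and a perfectly flat baseline (zero standard deviation) is handled explicitly rather than dividing by zero.

```python
"""Per-user behavioural baseline and anomaly scoring over access logs.

Added illustration of the baseline-then-anomaly approach in Element 14 of the
NITTF Framework; it is not code from the Framework or any D/A tool. The log
format, field names, training window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log (not real data): ISO timestamp, user, action, files touched.
# alice's last event is a large off-hours download; bob's activity is steady.
SAMPLE_LOG = """\
2018-10-01T09:12:00 alice download 12
2018-10-02T10:05:00 alice download 15
2018-10-03T09:48:00 alice download 11
2018-10-04T11:20:00 alice download 14
2018-10-05T09:30:00 alice download 13
2018-10-06T02:17:00 alice download 640
2018-10-01T09:00:00 bob download 40
2018-10-02T09:10:00 bob download 38
2018-10-03T09:05:00 bob download 45
2018-10-04T09:20:00 bob download 41
2018-10-05T09:15:00 bob download 39
2018-10-06T09:30:00 bob download 44
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, files = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "files": int(files)})
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events, window):
    """Per user: mean/stdev of files per event and the hours of day seen,
    using only that user's first `window` events so the baseline is not
    contaminated by the activity it will later be asked to judge."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        train = evs[:window]
        if len(train) < 2:
            continue  # too little history; a real program would wait for more
        counts = [e["files"] for e in train]
        baselines[user] = {"mean": statistics.mean(counts),
                           "stdev": statistics.stdev(counts),
                           "hours": {e["ts"].hour for e in train},
                           "trained_on": len(train)}
    return baselines


def score_events(events, baselines, z_threshold):
    """Flag events after the training window that deviate from the user's
    baseline by volume (z-score) or by hour of day. Returns leads for an
    analyst to contextualize, not verdicts."""
    seen = defaultdict(int)
    anomalies = []
    for ev in events:
        user = ev["user"]
        seen[user] += 1
        base = baselines.get(user)
        if base is None or seen[user] <= base["trained_on"]:
            continue  # no baseline yet, or still inside the training window
        if base["stdev"] == 0:
            # Flat baseline: no z-score is defined; any change is a deviation.
            z = 0.0 if ev["files"] == base["mean"] else float("inf")
        else:
            z = (ev["files"] - base["mean"]) / base["stdev"]
        reasons = []
        if z > z_threshold:
            reasons.append("volume")
        if ev["ts"].hour not in base["hours"]:
            reasons.append("off_hours")
        if reasons:
            anomalies.append({"user": user, "ts": ev["ts"].isoformat(),
                              "files": ev["files"], "z": round(z, 1),
                              "reasons": reasons})
    return anomalies


def detect_anomalies(text, window=5, z_threshold=3.0):
    """Parse, baseline and score a log; returns the list of flagged events."""
    events = parse_log(text)
    return score_events(events, build_baselines(events, window), z_threshold)


if __name__ == "__main__":
    for anomaly in detect_anomalies(SAMPLE_LOG):
        print(anomaly)
```

Run against the sample, only alice's 640-file download at 02:17 is flagged, for both volume and hour of day; bob's 44 files sit well inside his baseline. The output is a lead, not a conclusion, which is exactly the division of labour Element 14 describes: the tool narrows a large volume of data, and an analyst contextualizes what it surfaces before any inquiry is opened.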

Element 15 is creepier, but could be managed if implemented carefully. "Each employee responds to events and conditions in their work and personal lives differently -- that response, positive or negative, is a key concern for an InTP. A program with access to personnel with behavioral sciences expertise, either through internal D/A or affiliated resources, can strengthen its capabilities to identify and assess types of concerning behavior, contextualize the behavior, discern unconscious biases and propose alternative hypotheses."

This draws on the expanding field of behavioral science. It would require monitoring staff emails and chats, but has the advantage of being, or at least appearing to be, impersonal. In 2017, a paper published by the Intelligence and National Security Alliance (INSA) suggested that psycholinguistic analysis could detect a developing insider threat before it becomes a reality.

The paper discusses what it calls counterproductive work behaviors (CWBs). It argues that malicious insiders do not start work as malicious insiders; life and work pressures and stresses create them. Escalating CWBs, it suggests, can be detected through psycholinguistic analysis of emails, personal blogs, chats and tweets, the theory being that an unhappy employee can be identified and helped before he or she becomes a malicious insider.

Although private industry should not attempt to transpose the Framework verbatim into the workplace, there is nevertheless much in it that could form the basis of good practice in insider threat protection. While it was designed for government departments and agencies, it could still be useful to private organizations that cherry-pick.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.